DEV Community

Custodia-Admin

GDPR for Hospitality Businesses: Hotels, Restaurants, and Event Venues

Subtitle: Guest data, booking systems, and loyalty programmes — hospitality collects more personal data than almost any other sector

Tags: GDPR, Hospitality, Hotels, Data Protection

Description: GDPR compliance guide for hospitality businesses — hotels, restaurants, event venues, and caterers — covering guest data, booking platforms, loyalty programmes, and marketing.


Why Hospitality Has Significant GDPR Obligations

Think about everything a hotel knows about you: your full name, home address, passport number, payment card details, dietary requirements, room preferences, arrival and departure times, spending patterns, loyalty points balance, and perhaps your vehicle registration if you used the car park. Add CCTV footage from the lobby, lifts, and corridors, plus the metadata from your Wi-Fi login, and you have one of the most data-rich relationships between a business and a consumer of any sector.

GDPR applies in full to all of this. Every hotel, restaurant, event venue, and catering company established in the UK or EU must comply with the UK GDPR or EU GDPR respectively, and so must operators elsewhere that offer services to, or monitor the behaviour of, guests in those regions (Article 3). The regulation does not scale down its requirements for small independent operators: a boutique guesthouse with six rooms has the same fundamental obligations as a major hotel chain, though the practical implementation differs in complexity.

The stakes are real. The hospitality sector has seen enforcement action across Europe, including fines for excessive CCTV retention, inadequate security measures, and unlawful direct marketing. The ICO in the UK has also issued reprimands to hospitality businesses for poor data governance.


What Data Hospitality Businesses Collect

The volume and variety of personal data in hospitality is exceptional:

Standard personal data: Guest names, addresses, email addresses, phone numbers, nationality, date of birth (for certain bookings or licensing compliance), and payment card details.

Special category data: Dietary requirements — which can reveal religious beliefs (halal, kosher, no beef), health conditions (coeliac disease, diabetes-related restrictions), and allergies. Under GDPR Article 9, such data may only be processed if, in addition to an Article 6 lawful basis, one of the conditions in Article 9(2) applies. For hospitality, that condition is almost always explicit consent. The vital interests condition in Article 9(2)(c) is narrower than it sounds: it applies only where the individual is physically or legally incapable of giving consent, such as a medical emergency on the premises, so it does not cover routine collection of allergy information at booking.

Operational data: Room preferences, previous stay history, complaints, and incident reports. Loyalty programme points balances and redemption history.

Technical data: CCTV footage, vehicle registration numbers from car park systems, and Wi-Fi login data.

The combination of these categories means most hospitality businesses are handling data that demands careful governance — not just a cookie banner and a downloaded privacy policy template.


Online Booking Platforms: Joint Controller or Processor?

If your hotel or restaurant takes bookings through Booking.com, Expedia, OpenTable, or similar platforms, you need to understand your legal relationship with that platform. The answer matters because it determines your liability and your data-sharing obligations.

Joint controllers jointly determine the purposes and means of processing (GDPR Article 26). That requires a genuinely shared decision about what the data is for and how it is handled, for example a co-branded loyalty scheme whose rules you and the platform design together. Two parties that each use the same guest data for their own separate marketing are not joint controllers; they are independent controllers, each responsible for its own processing. Article 26 requires joint controllers to have a written arrangement setting out their respective responsibilities, and to make the essence of it available to data subjects.

Data processors process data only on your instructions and for your purposes. A booking engine that simply passes reservation data to your property management system without using it for the platform's own purposes is more likely to be a processor, and you need a Data Processing Agreement (DPA) in place.

In practice, the large OTAs generally position themselves in their terms as independent controllers for the data guests enter on their platform, and you become a separate controller for the reservation data they pass to you; a white-label booking engine that only feeds your property management system is more likely to be your processor. Do not assume: read each platform's data terms, confirm which role it claims, and make sure a DPA is in place wherever it acts as a processor. If you receive guest data from a third-party platform, your own privacy notice must disclose this source (Article 14) and explain how you will use that data.


Property Management Systems as Data Processors

Most hotels and venue operators use a Property Management System (PMS) — Opera, Mews, Lightspeed, Cloudbeds, or similar. These systems hold comprehensive guest profiles, booking histories, billing information, and operational notes.

Your PMS provider is a data processor. GDPR Article 28 requires a written DPA before any processing begins. The DPA must set out:

  • What data is being processed and for what purpose
  • The processor's security obligations
  • Sub-processing arrangements (cloud infrastructure providers, for example)
  • Your rights to audit and inspect
  • Data deletion obligations on contract termination

Most established PMS vendors will have standard DPAs available. Request and sign these before you go live. Review sub-processor lists annually — particularly if the system uses US-based cloud infrastructure, which raises international transfer considerations under Chapter V of GDPR.


Loyalty Programmes: Consent vs. Legitimate Interest

Loyalty programmes are a marketing tool as much as a guest benefit, and the legal basis for processing loyalty programme data deserves careful thought.

For programme administration itself — tracking points, processing redemptions, maintaining account records — legitimate interest is typically the appropriate lawful basis. You have a genuine business reason, and guests have a clear expectation that their points will be tracked.

For direct marketing communications — emails, SMS messages, push notifications — the position is more nuanced. Under PECR (in the UK) and the ePrivacy Directive (across the EU), electronic marketing to individuals requires either prior consent or, in limited circumstances, the soft opt-in for similar products or services to existing customers.

The soft opt-in applies when: the contact details were collected in the course of a sale or negotiations for a sale, the marketing is for your own similar products or services, and the recipient was given a clear opportunity to opt out at the time of collection and in every subsequent message. For loyalty programme members who made a booking, this can work — but only if you implemented it correctly at sign-up, and it never covers marketing on behalf of a third party.

Best practice: Collect explicit marketing consent at loyalty programme enrolment, separate from the programme terms and conditions. Make it easy for members to update their preferences. Do not treat a loyalty programme enrolment as blanket consent to every communication channel you operate.


Special Category Data: Dietary Requirements

This deserves its own section because it is consistently underestimated in hospitality.

When a guest tells you they keep kosher, require halal food, or cannot eat gluten, they are disclosing information that falls within GDPR's special category data provisions — specifically data revealing religious or philosophical beliefs, or health data. Article 9 prohibits processing such data unless one of the conditions in Article 9(2) applies, on top of the ordinary Article 6 lawful basis.

For hospitality, the most defensible condition is explicit consent (Article 9(2)(a)) — the guest actively provides this information knowing it will be used to accommodate their requirements. Explicit consent goes beyond the ordinary consent standard (freely given, specific, informed, unambiguous): it must be confirmed in an express statement, such as the guest typing the requirement into a clearly labelled field or ticking an unticked box beside wording that says what the information is and what it will be used for. It cannot be inferred from the guest simply making a booking, and legitimate interest is not available for special category data on its own.

Practical implications:

  • Do not store dietary requirements beyond the stay they relate to unless the guest explicitly asks you to save preferences for future visits
  • Do not share dietary information beyond the departments that need it (kitchen, catering) without a clear justification
  • Do not use dietary information for marketing profiling
  • Ensure staff with access to this data understand its sensitivity
  • Include processing of dietary data in your Records of Processing Activities (ROPA)


CCTV Throughout the Premises

CCTV is nearly universal in hotels, restaurants, and event venues — covering entrances, lobbies, car parks, bars, and corridors. Each camera captures personal data of guests, staff, and visitors, and GDPR applies in full.

Key requirements:

Signage: GDPR requires that individuals are informed about CCTV processing before they enter the monitored area. This means visible signs at each entrance explaining who operates the cameras, the purpose of the processing, and where to find further information (typically your privacy notice URL).

Retention periods: This is where many operators fall short. CCTV footage should be retained only for as long as necessary for the stated purpose. There is no statutory figure; for routine security and incident investigation, around 30 days is the benchmark most operators and regulators treat as reasonable, and anything longer needs a documented justification. Footage relating to a known incident can be retained until the matter is resolved, but it should be exported, isolated from the rolling overwrite, and recorded as a hold so that it is reviewed rather than forgotten.

Access requests: Guests and other individuals have a right of access to CCTV footage in which they appear. You must respond without undue delay and within one month (extendable by a further two months for complex requests), which means having a process for locating the footage from the date, time and location the requester gives, redacting other identifiable people, and providing it in a usable format. Because routine footage is overwritten within weeks, the request must reach someone who can preserve it quickly; train front-of-house staff to recognise it as a DSAR, not a complaint.

Legitimate interest assessment: CCTV will typically rely on legitimate interest as its lawful basis. Document this in a Legitimate Interest Assessment (LIA) covering the purpose, necessity, and balancing test. Where the cameras amount to systematic monitoring of a publicly accessible area on a large scale, Article 35(3)(c) additionally requires a Data Protection Impact Assessment (DPIA) before deployment.


Wi-Fi Guest Data

Offering guest Wi-Fi has become standard. The data collected at login — email addresses, device identifiers, names, browsing metadata — requires careful handling.

What you can collect:

  • Minimal data needed to provide the service (device MAC address and session timestamps; a MAC address is itself personal data, and modern phones randomise it per network, so do not build guest identification or analytics on it)
  • Contact details if guests voluntarily provide them to access the Wi-Fi

What requires specific justification:

  • Email addresses collected for marketing purposes: you need a lawful basis, and consent is almost always the right one
  • Browsing data: monitoring guest browsing activity is disproportionate for most hospitality purposes and requires very strong justification
  • Retention of login data beyond the stay

Best practice: Use a captive portal that is transparent about what you collect and why. If you are using a third-party Wi-Fi provider (common in larger hotels), review their DPA. Do not use guest Wi-Fi signup data for marketing without explicit consent obtained at the time of login. Do not retain session logs beyond 30 days unless required for a specific security purpose.
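The retention rules in this section and the CCTV and dietary sections above (Wi-Fi session logs for no more than 30 days, routine footage for around 30 days with incident footage isolated, dietary data for the stay only unless the guest asks to keep it) are only worth anything if something actually deletes the data on schedule. The following Python is an added illustration, not code from the original article or from Custodia, of how a nightly job can apply such a schedule with a hold exception. The record kinds, retention periods, dates and sample records are constructed assumptions; a real job would read from the PMS, the recorder and the captive portal and issue the deletions itself.

```python
"""Apply a data retention schedule to hospitality records.

Added illustration; not code from the original article. Every record
kind, period and sample record below is a constructed assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Retention period in days, counted from the date the record's event ended
# (checkout, session end, capture date). Figures are assumptions that track
# the article: routine CCTV around 28-30 days, Wi-Fi logs 30 days, dietary
# data for the stay only, booking/billing data longer for accounting.
RETENTION_DAYS = {
    "cctv": 28,
    "wifi_session": 30,
    "dietary": 0,
    "booking": 6 * 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str
    end_date: date
    hold: bool = False              # isolated for an incident, DSAR or legal claim
    save_preferences: bool = False  # guest explicitly asked to keep dietary prefs


def retention_deadline(record: Record) -> date | None:
    """Last day the record may be kept, or None if no automatic expiry applies.

    Dietary preferences the guest asked to save are not auto-expired here;
    they are deleted when the guest withdraws that request or closes their
    account, which is a separate trigger from the rolling schedule.
    """
    if record.kind == "dietary" and record.save_preferences:
        return None
    if record.kind not in RETENTION_DAYS:
        # Data with no documented rule is a governance gap: fail loudly
        # rather than guess a period or silently keep it forever.
        raise ValueError(f"no retention rule for record kind {record.kind!r}")
    return record.end_date + timedelta(days=RETENTION_DAYS[record.kind])


def apply_retention(records, today):
    """Split records into (delete, keep, on_hold).

    Held records are never deleted by the scheduled job, however old, but
    they are returned separately so the hold itself gets reviewed instead
    of becoming a permanent exception.
    """
    to_delete, to_keep, on_hold = [], [], []
    for rec in records:
        if rec.hold:
            on_hold.append(rec)
        elif (deadline := retention_deadline(rec)) is not None and today > deadline:
            to_delete.append(rec)
        else:
            to_keep.append(rec)
    return to_delete, to_keep, on_hold


# Constructed sample records for a run on 1 March 2024.
TODAY = date(2024, 3, 1)
SAMPLE_RECORDS = [
    Record("cctv-lobby-0131", "cctv", date(2024, 1, 31)),       # 30 days old
    Record("cctv-bar-0215", "cctv", date(2024, 2, 15)),         # 15 days old
    Record("cctv-carpark-0105", "cctv", date(2024, 1, 5), hold=True),
    Record("wifi-7f3a", "wifi_session", date(2024, 1, 29)),     # 32 days old
    Record("wifi-9c1d", "wifi_session", date(2024, 2, 1)),      # 29 days old
    Record("diet-guest-42", "dietary", date(2024, 2, 27)),      # stay ended
    Record("diet-guest-43", "dietary", date(2024, 2, 27), save_preferences=True),
    Record("booking-1001", "booking", date(2023, 6, 10)),
]


def run_example():
    """Apply the schedule to the sample set and return record ids per outcome."""
    delete, keep, hold = apply_retention(SAMPLE_RECORDS, TODAY)
    return (
        [r.record_id for r in delete],
        [r.record_id for r in keep],
        [r.record_id for r in hold],
    )


if __name__ == "__main__":
    delete, keep, hold = run_example()
    print("delete :", delete)
    print("keep   :", keep)
    print("on hold:", hold)
```

Run it directly to see the three lists; in a real deployment the delete list drives the purge calls against each system and the hold list goes to whoever owns incident review. The refusal to process an unknown record kind is deliberate: a data type with no documented period in your ROPA should stop the job, because "we never decided how long to keep it" is precisely the excessive-retention failure the enforcement actions mentioned at the top of this article turn on.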


Review Platforms: Responding to Reviews Containing Personal Data

TripAdvisor, Google Reviews, and similar platforms present an interesting GDPR consideration. When a guest leaves a review that names a member of staff, references a specific incident, or contains enough detail to identify a third party, that information is personal data.

Your response to reviews is also subject to GDPR considerations. Avoid:

  • Confirming personal details about a reviewer or other guests in a public response
  • Disclosing why a guest was asked to leave, what they were charged, or other account-specific information
  • Naming staff members in ways that could cause harm

The platform relationship: Review platforms are independent data controllers for the reviews they host. You are not responsible for what the platform does with the data, but you are responsible for your responses. Keep public responses general and move specific resolution to private channels.

If a review contains false personal data about a named staff member, the staff member can exercise their own rights of rectification and erasure against the platform as controller (Articles 16 and 17), and you, as their employer, can report it through the platform's own process. Both routes are subject to the platform's freedom-of-expression exemption (Article 17(3)(a)), so genuine opinion, however unfair, is unlikely to be removed.


Compliance Checklist

For Independent Operators (restaurants, guesthouses, independent hotels)

  • [ ] Publish a privacy notice that covers all data processing activities: bookings, CCTV, loyalty, Wi-Fi, marketing
  • [ ] Ensure cookie consent on your website is GDPR-compliant (not pre-ticked boxes, not consent by scrolling)
  • [ ] Sign DPAs with your booking system provider, PMS, email marketing platform, and Wi-Fi provider
  • [ ] Post CCTV signage at all monitored entrances
  • [ ] Set a CCTV retention period (around 30 days for routine footage, with the reason documented) and enforce it through the recorder's overwrite setting, not by relying on someone remembering to delete
  • [ ] Document your lawful basis for each processing activity in a simple ROPA
  • [ ] Train front-of-house and management staff on how to handle data subject access requests
  • [ ] Treat dietary requirements as special category data — collect it on a per-stay basis with explicit consent
  • [ ] Do not pre-tick marketing consent boxes on booking forms
  • [ ] Have a documented process for data breach handling: a breach that is likely to result in a risk to individuals must reach the ICO/supervisory authority within 72 hours of you becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high

For Hotel Chains and Multi-Site Operators

All of the above, plus:

  • [ ] Appoint a Data Protection Officer (DPO) where your core activities involve large-scale processing of special category data or regular and systematic monitoring of individuals on a large scale (Article 37)
  • [ ] Conduct Data Protection Impact Assessments (DPIAs) before new systems that are likely to result in high risk go live — new PMS, new loyalty platform, new Wi-Fi infrastructure, expanded CCTV
  • [ ] Maintain a comprehensive ROPA covering all group entities
  • [ ] Audit third-party platform relationships annually (Booking.com, Expedia, OTAs, travel agents)
  • [ ] Implement group-wide data retention schedules enforced technically, not just by policy
  • [ ] Review international data transfer mechanisms for any US-based or other third-country systems: an adequacy decision (including the EU-US Data Privacy Framework and its UK extension, for certified vendors only), EU Standard Contractual Clauses, or the UK IDTA or Addendum, together with a transfer risk assessment where one is required
  • [ ] Establish a central function for handling DSARs across all properties
  • [ ] Conduct staff training at property level, not just head office

Getting Started

If you are running a hospitality business and are not sure where your GDPR exposure actually sits, the most useful first step is to audit what data your website and booking tools are collecting and sharing — before looking at your internal systems.

Run a free scan of your website at Custodia to see which trackers, cookies, and third-party services are active. Many hospitality websites run booking widgets, review embeds, and marketing pixels that are sharing visitor data with third parties without adequate consent infrastructure. The scan takes 60 seconds and gives you a clear view of your current exposure.

From there, Custodia can help you implement compliant cookie consent, generate a privacy policy that reflects what your site actually does, and monitor ongoing compliance as your technology stack evolves.


This article provides general guidance on GDPR obligations for hospitality businesses. It does not constitute legal advice. Your specific obligations depend on your jurisdiction, the size of your operation, and the systems you use. Consult a qualified data protection advisor for advice tailored to your situation.
